OS X 10.9 ("Mavericks") or Higher

Unsigned Application

To get an unsigned version of Tunnelblick or your rebranded version, build an "Unsigned Release" of the source code using the instructions at Building From Source.

Code Signing Certificate

The code signing certificate can be a "self-signed" certificate or a certificate from Apple. There is one difference: if you use a self-signed certificate, Gatekeeper in OS X 10.8 ("Mountain Lion") and higher may not allow the first run of the self-signed application by double-clicking it. The user will need to Control-click and click "Open". That is because the Gatekeeper default is to allow the first launch of an application only if it is signed by an Apple-recognized developer.

To get a self-signed code signing certificate, use the macOS Keychain Assistant application. Apple used to have instructions on doing this, but they have disappeared. They may be accessed from the Internet Archive using this link.

To get a certificate from Apple, you must be an Apple Developer. Request your Apple certificates and install them into your Keychain. You can do this from Xcode.

Designated Requirement Binary

You can use a "designated requirement binary" to set requirements for how an application is to be signed. For example, you can require that the Info.plist's CFBundleIdentifier be "com.example.foo". This binary can be generated in Xcode; consult Apple's documentation. The only catch is that requirements created in some recent versions of Xcode are considered invalid by OS X 10.5 ("Lion") and will cause problems. Tunnelblick uses a signing requirements binary created on an older version of Xcode that does not cause this problem. See Gatekeeper vs. Leopard: an ongoing tale.
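As an added example (not Tunnelblick's signing script and not code from the Tunnelblick project), the shell functions below show one way to embed the designated requirement from the example above with Apple's codesign tool and then check it. It passes the requirement as source text instead of a prebuilt binary; the function names are hypothetical, and the application path, signing identity and bundle identifier are supplied by the caller.

```shell
#!/bin/sh
# Added example, not Tunnelblick's own script. Function names are hypothetical.
# Usage (on macOS): sh sign-with-dr.sh /path/to/Your.app "Identity Name" com.example.foo

# Print requirement-set source text that pins the designated requirement
# to one bundle identifier (the CFBundleIdentifier case described above).
designated_requirement() {
    bundle_id=$1
    # Accept only identifier characters, so the value cannot close the quoted
    # string and append extra clauses to the requirement.
    case $bundle_id in
        ''|*[!A-Za-z0-9.-]*)
            echo "invalid bundle identifier: $bundle_id" >&2
            return 1 ;;
    esac
    printf 'designated => identifier "%s"' "$bundle_id"
}

# Sign the application with the requirement embedded, then confirm it took effect.
sign_with_requirement() {
    app=$1
    identity=$2
    bundle_id=$3
    req=$(designated_requirement "$bundle_id") || return 1

    # An -r argument beginning with "=" is read as requirement source text.
    codesign --force --sign "$identity" -r="$req" "$app" || return 1

    # Show the requirements that were actually embedded in the signature.
    codesign --display -r- "$app" || return 1

    # Verify the signature and test it against the same identifier.
    # This fails if the bundle was signed under a different identifier.
    codesign --verify --verbose -R="identifier \"$bundle_id\"" "$app"
}

# Run only when all three arguments are given, so the file can also be sourced.
if [ "$#" -eq 3 ]; then
    sign_with_requirement "$@"
fi
```

Because the designated requirement is what macOS uses to decide whether a later build is "the same application", check the `codesign --display -r-` output after every signing run.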

Signing Script

Use the following script to sign Tunnelblick or a rebranded version of Tunnelblick: